Security Type Systems as Recursive Predicates

We show how security type systems from the literature of languagebased noninterference can be represented more directly as predicates defined by structural recursion on the programs. In this context, we show how our uniform syntactic criteria from [7,8] cover several previous type-system soundness results. 1 Security type systems As in Example 2 from [7, 8], we assume that atomic statements and tests are built by means of expressions applied to variables taken from a set var, ranged over by x,y,z. Thus, exp, ranged over by e, is the set of arithmetic expressions (e.g., x+ 1, x ∗ y+ 5). Then atomic commands atm∈ atom are assignment statements x := e and tests tst ∈ test are Boolean expressions built from exp (e.g., x > 0, x+ 1 = y+ z). For any expression e and test tst, Vars e and Vars tst denote their sets of variables. States are assignments of integers to variables, i.e., the set state is var → int. Variables are classified as either low (lo) or high (hi) by a fixed security level function sec : var →{lo,hi}. We let L be the lattice {lo,hi}, where lo < hi.1 We shall use the standard infima and suprema notations for L. Then ∼ is defined as follows: s ∼ t ≡ ∀x ∈ var. sec x = lo =⇒ s x = t x. We shall look into type systems from the literature, ::, assigning security levels l ∈ {lo,hi}, or pairs of security levels, to expressions and commands. All have in common the following: Typing of expressions: e :: lo if ∀x ∈ Vars e. sec x = lo e :: hi always Typing of tests (similar): tst :: lo if ∀x ∈ Vars tst. sec x = lo tst :: hi always The various type systems shall differ in the typing of commands. But first let us look more closely at their aforementioned common part. We note that, if an expression or a test has type l and l ≤ k, then it also has type k. In other words, the following covariant subtyping rules for tests and expressions hold: ⋆ This work was supported by the DFG project Ni 491/13–2, part of the DFG priority program Reliably Secure Software Systems (RS3). 1 One can also consider the more general case of multilevel security, via an unspecified lattice of security levels L—however, this brings neither much additional difficulty, nor much additional insight, so here focus on this 2-level lattice. e :: l l ≤ k e :: k (SUBTYPE-EXP) tst :: l l ≤ k tst :: k (SUBTYPE-TST) Thus, the typing of an expression or test is uniquely determined by its minimal type, defined as follows: